Claude Shannon proved that any encryption algorithm possessing these characteristics is absolutely secure:

1. The encryption keys must be random numbers of uniform distribution.

2. The keys must be shared in absolute secrecy by the sender and receiver.

3. Any key encrypting a message must be at least as long as that message.

4. Any key used to encrypt a message must not be reused.

I get this from "Claude Elwood Shannon - Collected Papers" edited by N. J. A. Sloane and Aaron D. Wyner.

Because storage media has become so very dense, over the last several decades it has become very convenient to use such algorithms.

I am surprised that so many Internet articles recommend against it.

Small businesses trying to bring innovations to the market suffer hacking by organizations that can afford a room full of large servers. Is this good for the economy?

I would rather send an armored car full of memory devices to each of my partners than get innovations stolen.

I appreciate the need to keep such algorithms out of the hands of criminals. If we need to register users of strong encryption, I would go along with that. The government can investigate me all it wants. I am willing to share encrypted messages with U. S. citizens only.

Can anybody think of a system that the government would like?

Keep in mind that patent laws have been changed to award patents to those who are first to patent, not those who have witnessed proof that they were the first to conceive of the invention. This makes hacking very profitable. The hacking organization patents any concept that they can find and they can afford to keep small businesses in court forever on the remainder.

It's just hard to implement. Let's go through each point to explain why:

The encryption keys must be random numbers of uniform distribution.

This is the worst problem. It's not easy to generate a truly random key of significant length. The only way to generate truly random data is through user input, i.e., ask the user to smash the keyboard for 10 minutes. Most users aren't willing to go through this.

The keys must be shared in absolute secrecy by the sender and receiver.

This is almost impossible in today's world. The only way to do this is to physically meet the person and give them the key, and even that can be observed by surveillance equipment.

Any key encrypting a message must be at least as long as that message.

This is simple for small messages, but the problems with large key sizes grow exponentially. A key that encrypts a 100GB backup must be 100GB or more? I think you see the issue here.

Any key used to encrypt a message must not be reused.

This is actually the easiest problem to deal with, but complicates the other problems, especially if a message must be read more than once.
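An added example, not part of any post in this thread: a minimal Python sketch of pad bookkeeping that enforces points 3 and 4 (key at least as long as the message, no key byte used twice), plus what an observer recovers when a key is reused. The class and function names are hypothetical, and `secrets.token_bytes` (the OS CSPRNG) only stands in for the truly random pad that Shannon's result requires.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Pre-shared pad; every byte may be consumed once, in order."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._next = 0  # index of the first pad byte not yet used

    def remaining(self) -> int:
        return len(self._pad) - self._next

    def _consume(self, start: int, n: int) -> bytes:
        if start < self._next:  # point 4: never hand out used bytes again
            raise ValueError("pad bytes already used")
        if start + n > len(self._pad):  # point 3: key must cover the message
            raise ValueError("pad exhausted")
        self._next = start + n
        return self._pad[start:start + n]

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        # The pad offset travels with the ciphertext; it is not secret.
        start = self._next
        return start, xor(plaintext, self._consume(start, len(plaintext)))

    def decrypt(self, start: int, ciphertext: bytes) -> bytes:
        return xor(ciphertext, self._consume(start, len(ciphertext)))


def reuse_leak(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """XOR of two ciphertexts made with the same key: the key cancels out."""
    return xor(xor(p1, key), xor(p2, key))


if __name__ == "__main__":
    # Constructed sample data. The OS CSPRNG stands in for a true random source.
    pad = secrets.token_bytes(64)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    offset, ct = sender.encrypt(b"meet at noon")
    print(receiver.decrypt(offset, ct), sender.remaining())
    # With a reused key the observer gets p1 XOR p2 without knowing the key.
    print(reuse_leak(b"attack", b"defend", pad[:6]) == xor(b"attack", b"defend"))
```

Both sides refuse to touch an offset that was already consumed, so a message that must be read more than once has to be stored decrypted or re-sent under fresh pad bytes.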

There might be a reason why you got no responses on the other thread. For me at least, I don't understand the purpose of your thread. Nevertheless, starting a duplicate thread on the same topic is not how things are done around here.

Nor is complaining to the OP TBH... Both of you should be reporting posts that are misplaced/break forum rules with the 'report' button in the bottom right corner of the post.

I am glad to spend $50.00 per month sending media containing random numbers to my communication partners. I recommend it. I also recommend calling the FBI and telling them what I am doing, who I am, who my communication partners are, and promising them that I will keep the plain text for their examination.

What is absolutely critical is this: No person or organization other than the American government may anonymously learn the content of my chemical and computing trade secrets, and my research in progress.

On the subject of the inconvenience to the general market, I realize that few are willing to go to great lengths to protect their communication. For them, a lesser level of security may be appropriate. I do not recommend algorithms that use number theory insights, reused keys, or rely on mere complexity. I recommend using the one-time pad with something less than truly random numbers generated by hardware random number generators.

First, I would point out that the art of making pseudo random numbers has advanced considerably. This makes the transformation of a billion truly random numbers to another billion pseudo random numbers by means of employing only ten million additional random numbers such that the use of the transformed numbers presents a greater challenge to statisticians than any existing convenient algorithm.

This means that pads can be extended to last much longer than would otherwise be the case. I don't care about this because I can afford the $50.00 dollars per month, but it might be of interest to some.

The key here is that some data MUST be protected FOREVER, and email must be used to keep up with the speed of business. Why do you think that embassies and military organizations use it?

I hope American citizens preserve the right to use the strongest possible encryption and use it with appropriate sensitivity to the problem of criminality and terrorism.

I also hope that you understand this: I don't get what I need from any other type of encryption.

If you want your data in transit to be completely unintelligible to an observer, and cost is no object, then you should seriously look into Quantum Cryptography (Link points to the Wikipedia page, but that is of course only a start). A few companies already use this for extremely sensitive intra- and inter-office communications.

For what it's worth, I agree with your stance on encryption. I simply pointed out issues of getting it 'to the masses' as it were for the sake of discussion - it's definitely something you needed to consider. I disagree with your point about informing the government, but that is a political view and not appropriate for this topic (or for that matter anywhere on this forum outside the Speak Easy).

For those who insist on the convenience of communicating keys more conveniently at some additional risk but without much cost, I want to point out that changing and expanding the pad monthly by sending a small amount of data by postal mail or over the phone can achieve more security than is realized by existing convenient algorithms.

Consider a letter that asks the project team to modify and expand the existing pad by using program 257 from a shared library of programs, or by using the following shared functions: 18, 93, 86, and 71 in that order.

A string of arguments in a letter to be used by a function or program is very hard to deduce in this context.

Unlike encryption software that gets popular and is the same for many users, this approach would surely cause all communicating groups to use different programs and functions - of which there are at least millions. The number of unique combinations of functions is very large.

A relatively simple thing like using half of the pad to permute the other half or interleave the pad makes things very difficult for any statistician. Imagine the difficulty of contending with the uncertainty created by more complex ideas like the one stated above.

I would like to see this done very widely. I would like to discuss such software designs with anyone interested.

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.